2023 universal registration document

3. Risk factors and risk management

The Internal Control Committee is driven by the Internal Control Department, which validates directions and priorities with regard to improving the internal control framework, developing the network of internal control managers and the tools used to perform internal control tasks. This Department monitors changes in expectations and market practices relating to Internal Control.

The Internal Audit Department

The Internal Audit Department audits major processes and checks on the application of Group principles and standards. Its work is carried out by a central team that reports directly to the Chief Executive Officer.

Internal Audit assignments are submitted to the General Management and the Audit Committee. With the approval of those committees, they result in an annual audit plan that takes account of the Group’s risk mapping, the entities’ contributions to the Group’s key economic indicators, and the historical precedence and results of previous audits.

The risk level assessment carried out by the Zone Departments and experts in the different functions is also a determining factor in the preparation of the annual audit plan.

In 2023, the Internal Audit Department carried out 51 assignments, 24 of which involved auditing entities (commercial entities, factories, international marketing and research & innovation departments) and 19 of which were on targeted processes at Group, Zone or Country level. In addition, five assignments were carried out on the cyber security programme and three were dedicated to certain objectives of the L’Oréal for the Future programme.

Each audit assignment results in a report that sets out the corresponding findings and risks, and that proposes an action plan and recommendations for the audited entity. The Internal Audit Department monitors and measures these action plans, then reports the rate of progress to the Departments in question.

To conduct its work, Internal Audit relies on the Group’s integrated ERP software. It has developed a number of specific transactions to improve the identification of potential weaknesses in sensitive processes. Data analysis capabilities are strengthened each year. They enhance the standard analyses developed by Internal Audit and the use of dashboards and analysis tools that the businesses are continually developing for their own management needs.

To carry out its work, the Internal Audit Department uses an integrated GRC (Governance, Risk, Compliance) tool, which enables it to consolidate in real time the progress made on the action plans of audited entities. Shared with the Internal Control function, this tool represents an integrated collaborative platform for the implementation of action plans.

In addition to its role of monitoring the application of the Internal Control system, the Internal Audit Department carries out cross-functional analyses with regard to possible Internal Control weaknesses based on findings noted during its assignments. These analyses direct the work of the Internal Control Committee and identify the priority areas for improvement and strengthening of procedures.

The achievement of the audit plan, the results of assignments and the progress of the action plans are presented to General Management on a regular basis and to the Audit Committee and the Statutory Auditors annually.

The Global IT Department

The Group’s Global IT Department determines the strategic orientations of its IT systems. In particular, it implements an ERP system, the management software used by the vast majority of the Group’s commercial subsidiaries, factories and logistics services. It also supports the digital transformation of the Group by developing the use of Cloud services (SaaS, IaaS, PaaS) and connected objects.

Within the Department, the Information Systems Security Department manages the Information Systems Security Policy. Consistent with market standards (ISO 27001/27002, NIST), this policy covers the main topics of IT security, including the protection of personal data. It describes general principles to be applied for each topic. This ensures that the Group’s Information Systems teams, and by extension, all employees, share clear objectives, best practices and levels of control that are appropriate for the risks (notably, the risk of cyber attacks). This policy is accompanied by an independent information systems security audit programme and two codes of practice: the Information and Communication Technologies Code of Practice, and the Code of Good Practice for the use of Social Media.

The Operations Department

This Department comprises the Packaging and Development, Purchasing, Industrial Strategy and Operational Excellence, Quality, EHS (Environment, Health, Safety), Supply Chain and Information Systems (production) departments. It defines the overall Operations strategy worldwide and defines the standards and methods applicable in the areas of quality, safety and the environment for deployment in all the countries in which the Group operates. It manages the Group’s comprehensive strategy to enable the Operations teams in the operational Divisions and the Zones to implement innovation, purchasing, quality, security, environmental manufacturing and supply chain policies that are relevant to the markets. It conducts a worldwide Quality-EHS audit programme, assessing the Group’s sites and suppliers of direct purchases. It establishes and trains the business communities of these departments.

In line with the Group’s Code of Ethics, buyers have had access to a practical and ethical guide, “The Way We Work with our Suppliers”, since 2011. This guide covers everything they need to know when working with the Group’s suppliers. In addition, buyers complete online learning programmes based on the Group’s “The Way We Compete” and “The Way We Prevent Corruption” guides.

The standard for managing suppliers and tender procedures specifies the conditions for competitive tendering and for the registration of the main suppliers. The general terms of purchase form the framework for transactions with suppliers. The “Standard for supplier management (Source to contract)” facilitates and strengthens control of spending and investments.